1 Introduction

Cybersecurity has gained traction as a research topic in view of new business technologies, the rise of remote work, expansion of online sales and recent cyber scandals. Cyber attacks have become one of the greatest threats to organizations (Foglietta et al., 2018). Key U.S. senators have asked public companies to step up their cybersecurity measures, noting that “as our society increasingly relies on technology, businesses across all sectors of the economy must prioritize cybersecurity. A single cyberattack can cripple even the most sophisticated firms, and the public has a right to know whether companies are focused on preventing cybersecurity threats.”

In a report containing its priorities for 2020, the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission indicates that the OCIE would continue to prioritize information security in each of its five examination programs. These programs focus mainly on proper configuration of network storage devices, information security governance generally and retail trading information security (SEC, 2020). The report emphasizes that culture, tone at the top and board oversight practices are key factors in protecting against cyber attacks. Board members appear to agree with the urgency of the problem: a survey of directors of U.S. public companies by the National Association of Corporate Directors (NACD) in 2016–2017 indicates that 58% of respondents considered cybersecurity to be a significant risk that should be monitored. This denotes additional responsibilities for boards of directors, which have become more concerned than ever about the type of cybersecurity information to disclose and when and how to disclose it.

Overall, cybersecurity has become a top priority for boards (Li et al., 2018) and their most pressing governance issue (World Economic Forum, 2019). For their part, stakeholders interested in firms’ cyber-risk management have lobbied for a corporate disclosure strategy that includes cyber risk information (Radu & Smaili, 2021). An effective board is a board that reaches its objectives (Van den Berghe & Baelden, 2005), and board effectiveness is determined by the board’s attributes and composition, such as board independence (Garcia-Meca & Sanchez-Ballesta, 2010), board size and the split of chairman and CEO roles (Lorca et al., 2011).

Given these diverse stakeholder and regulatory pressures on the board of directors to enhance cybersecurity disclosure, an important question arises: Is an effective board of directors associated with cybersecurity disclosure? In this study, we empirically examine whether the board of directors is linked with the decision about producing a cybersecurity disclosure and the attendant choices regarding the scope it should have. John & Senbet (1998) suggest that a board’s effectiveness in monitoring management is determined by its composition, independence and size. Accordingly, we examine these three traditional board characteristics to probe the role of the board of directors in management’s disclosure decisions and the volume of their disclosure.

We assume there is a positive link between the board of directors and cybersecurity disclosure for different reasons. First, the board of directors, the central corporate governance mechanism, is responsible for risk management (Tricker, 2019). As cyber risk is one of the greatest risks facing businesses (World Economic Forum, 2019), the boardroom expects to have discussions about cybersecurity and ask management key questions. Stakeholders may judge the board of directors’ quality by how it manages cyber risk and the amount of cybersecurity information disclosed. Second, the board of directors has a duty to consider the legal and financial ramifications of a cyberattack in its assessment of the firm’s risks. Cyber attacks are a major corporate expense, as shown by the $1.7 billion price tag for the Equifax cyber breach in 2017 (Audit Analytics, 2020). Thus, the board should consider the business impacts of cyberattacks, litigation and regulatory exposure when discussing cybersecurity risks. Enhancing cybersecurity disclosure signals the board’s capacity to anticipate cyber attacks and to protect stakeholders’ interests. Third, according to stakeholder theory, an effective board of directors might reduce the asymmetry of information between management and stakeholders. Regarding cybersecurity issues, we therefore expect the board of directors to act as a corporate governance mechanism that reduces information asymmetry regarding cybersecurity. Finally, according to signalling theory and stakeholder theory, the board might enhance cybersecurity disclosure to reassure stakeholders that it is acting in their interests.

Based on stakeholder and signalling theories and the disclosure literature, we expect that board effectiveness will be associated with the firm’s decision to disclose cybersecurity-related information. We also hypothesize that several one-dimensional measures of board effectiveness will have a positive effect on cybersecurity disclosure volume, these measures being board independence, board size and board financial expertise. Using a regression model, we test our hypotheses on a sample of 300 firm-year observations. Results show that firms with greater board effectiveness are more transparent and decide to disclose cybersecurity-related information. More independent board members and boards with more members with financial expertise also report an increased volume of cybersecurity disclosure, whereas board size does not seem to have any influence.

Overall, our study makes a threefold contribution to the literature. First, our findings provide insight on the role of corporate governance in risk disclosure. The limited prior research on disclosure of business risks focused narrowly on firm characteristics such as firm size, financial performance and industrial sector as determinants of this disclosure (Amran et al., 2009; Lopes & Rodrigues, 2007; Oliveira et al., 2011). However, the board’s impact remains largely unexamined. Our study therefore complements the literature on risk disclosure by shedding light on the impact of board effectiveness on cybersecurity disclosure. Second, we also contribute to the recent cybersecurity literature. Although previous studies examined cybersecurity from various research perspectives such as technical approaches (Assante & Tobey, 2011; Jang-Jaccard & Nepal, 2014; Torres et al., 2019) and ethical approaches (Radu & Smaili, 2021), research on the role of cybersecurity in private and public companies is still relatively scarce. Third, among the future research avenues proposed, there is an expectation that voluntary disclosure would be examined from different perspectives and in different contexts (Bravo, 2018; Li et al., 2018). Prior research on corporate governance has focused on the role, power and effectiveness of the board of directors and the impact of having a powerful and effective board (Davis, 1996; Ingley & Van der Walt, 2001; Krause et al., 2013; Lorsch & MacIver, 1989; Nicholson & Kiel, 2004; Schmidt & Brauer, 2006), but there is little research on cybersecurity governance at the board level. In addition, although the corporate governance literature has extensively analyzed associations between corporate governance mechanisms and voluntary disclosure of financial, environmental and sustainability risks, the board’s role in cybersecurity disclosure has been neglected (Rothrock et al., 2018). This is surprising, as boards have the resources and expertise to enhance this disclosure. To the best of our knowledge, this is the first study that empirically investigates the relation between the board’s effectiveness and characteristics and cybersecurity disclosure.

Our findings add to the debate about why corporate governance matters. They also contribute to the corporate governance literature by providing evidence that board power could lead to extended disclosure of cyber risks.

Our results have practical implications for different stakeholders. Regulators can benefit from our findings and make recommendations on board composition. Additional disclosure requirements, guides and regulations could help firms improve their cyber risk assessment, management and disclosure. As independent board members and directors with financial expertise have a positive effect on disclosure of cybersecurity information, investors should ask for more independent boards with diversified expertise, including financial expertise. Cybersecurity is an emerging field that requires multi-faceted expertise; firm managers and board members should therefore have appropriate training and diversified skills.

The remainder of this paper is organized as follows. The next section presents the literature review and is followed by the hypothesis development in Sect. 3 and the research methodology in Sect. 4. Section 5 presents our results, and the last section contains our discussion and conclusion.

2 Board of directors’ cybersecurity oversight role

2.1 Definition of cybersecurity and cybersecurity disclosure

Although cybersecurity is a term extensively used by practitioners and researchers, there is still no consensus in the literature on a general definition. Cybersecurity is a multidimensional concept, and definitions have emerged from different research perspectives. The most widely used technical definition of cybersecurity is “the safeguarding of computer networks and the information they contain from penetration and from malicious damage or disruption” (Lewis, 2006, p. 1). Craigen et al. (2014) identified technical solutions, events, strategies, processes and methods, human engagement and the referent object of security as the dominant themes of cybersecurity. They developed the following multidisciplinary definition of cybersecurity: “the organization and collection of resources, processes, and structures used to protect cyberspace and cyber-enabled systems from occurrences that misalign perceived (de jure) from actual (de facto) property rights” (Craigen et al., 2014, p. 17). Using input from stakeholders from across the country, Public Safety Canada defines cybersecurity as “the protection of digital information, as well as the integrity of the infrastructure housing and transmitting digital information. More specifically, cyber security includes the body of technologies, processes, practices and response and mitigation measures designed to protect networks, computers, programs and data from attack, damage or unauthorized access so as to ensure confidentiality, integrity and availability” (Public Safety Canada, 2018, p. 33).

Cybersecurity is a dynamic and expanding field (Newhouse et al., 2017). Radu & Smaili (2021) recently proposed a cyber-business ethical approach based on a multi-stakeholder perspective. Concerned with the ethical principle of privacy, shareholders, along with consumers, managers, employees, and even society as a whole, are interested in firms’ cybersecurity management, including its technical, financial and ethical risk perspectives. Other practitioner perspectives highlight the shortage of qualified labour as a major problem for companies (Moriarty, 2020).

Firms use cybersecurity disclosure to inform various stakeholders about their approaches to cybersecurity. Since 2011, U.S. firms have been subject to disclosure obligations requiring discussions and analysis of cybersecurity risks and cyber-attack incidents (Grant & Grant, 2014). The SEC disclosure guidance treats cyber risks like any significant business risk requiring disclosure. In Canada, various regulations on cybersecurity disclosure have been issued to guide firms on disclosure of cybersecurity risks and incidents (CSA, 2013, 2016, 2017a, b).

Risk-related disclosure is a mainly descriptive activity prescribed by regulation, and it needs improvement (Campbell et al., 2014; Hernández-Madrigal et al., 2012). For example, Li et al. (2018) recently found evidence of a positive association between cybersecurity risk disclosure and upcoming cybersecurity incidents prior to the SEC guidance on cybersecurity risk disclosure, an indication of the relevance of this form of disclosure. However, no association was found after the issue of this guidance in 2011, suggesting that firms with no material cybersecurity risks started to disclose boilerplate cybersecurity risk-related information after the SEC stressed the importance of this disclosure. We suggest later in this paper that an effective board of directors could be an effective corporate governance mechanism to help improve disclosure practices.

2.2 The board’s oversight role

The board of directors and its committees, such as the audit committee and the risk management committee, are crucial corporate governance players in corporate risk management (Fama & Jensen, 1983; Jensen & Meckling, 1976; Kamiya et al., 2020). One of the board’s most important roles is to protect organizations against significant risks (Xie et al., 2019). As cyber breaches become more frequent, the board is expected to effectively oversee the organization’s response to cyber risks. The board is ultimately responsible for identifying, responding to, reducing and communicating the main organizational risks. In particular, the board of directors and its audit committee must first understand the organization’s cyber risk context and business environment to better identify cyber risk (Lankton et al., 2020). Second, the board has the responsibility to ensure that management implements preventive and detective controls. It must also communicate informative data and material information to investors, most notably material information regarding cyber attacks (CSA, 2017a; SEC, 2018). Li et al. (2018) note that cybersecurity risk disclosure has attracted a great deal of attention in recent years, especially after the adoption of cybersecurity disclosure guides and regulations. Consequently, disclosure of cybersecurity information has become one of the board’s top priorities (Li et al., 2018).

Cybersecurity strategy planning is an important board task, particularly communicating material risks to stakeholders. Kure et al. (2018) suggest that the board is a crucial player in implementing effective cybersecurity risk management. Kamiya et al. (2020) provide evidence on the board’s role in reducing the impacts of cyber attacks on the firm’s stakeholders. Shareholder wealth loss due to a cyber attack involving personal information is lower when the board pays more attention to cyber-risk management before the attack (Kamiya et al., 2020).

However, there is a dilemma regarding the firm’s decision to disclose cybersecurity information. Firms under stakeholder pressure have incentives to disclose more information to respond to growing demand from these parties (mainly investors). At the same time, disclosing cybersecurity information has its drawbacks. Risk disclosure can negatively affect a business’s market value by triggering an increase in the cost of capital and making confidential information available to competitors (Kothari et al., 2009). If a company is at high cybersecurity risk, alerting investors through a disclosure can put it in a difficult situation. As a result, firms are less likely to disclose information on cyber risks (Li et al., 2018). In addition, risk disclosure could provide key information to cyber criminals about the firm’s vulnerabilities. As disclosing information on cyber attacks precipitates a sizeable negative stock market reaction, managers withhold negative information on the more severe attacks (Amir et al., 2018). In sum, the board of directors experiences all sorts of pressure regarding the decision to disclose or withhold cybersecurity-related information.

3 Hypothesis development

3.1 Board effectiveness

The board of directors monitors management on behalf of shareholders (Jensen & Meckling, 1976; John & Senbet, 1998). However, the firm is a complex nexus of contracts (Jensen & Meckling, 1976; Winter & Williamson, 1991) between shareholders and other stakeholders (Freeman, 2010; Mintzberg, 1983). According to stakeholder theory, the board’s role extends beyond controlling and motivating top management to maximize shareholders’ wealth; rather, it should balance, respond to and fulfill conflicting stakeholder demands (Hung, 1998; Pigé, 2002). Many of these stakeholders exert pressure to obtain more information about firms’ cyber risks and cybersecurity. As the board is essential to risk management activities (Ingley & Van Der Walt, 2008) and it oversees and monitors risks (Raber, 2003), including cyber risk, as part of its fiduciary role, the stakeholder theory view of the board considers that the board balances and responds to the diverging interests of stakeholders. This could explain the decisions that the board makes regarding cybersecurity disclosure decisions.

An effective board is a board that reaches its objectives (Van den Berghe & Baelden, 2005). Hence, an effective board is aware of these demands and therefore discloses cyber-related information. The determinants of board effectiveness are board independence, size and composition (John & Senbet, 1998), complemented by other board attributes such as audit committee independence, the split of chairman and CEO roles, the level of director ownership and directors’ expertise (Lorca et al., 2011).

Stakeholders build their perception of board effectiveness by reading the firm’s corporate disclosure. There is a trade-off between disclosing cyber-risk information, which is valuable for investors, and withholding this information, since hackers and cyber criminals could use it against the firm (Li et al., 2018; Wang et al., 2013). Based on signalling theory (Akerlof, 1978), disclosing good news is an opportunity for the board and management to signal that the firm is in a good position and is adept at managing risk (Allini et al., 2016). Verrecchia (1983) analyzed managers’ decisions to disclose or withhold information and found that there are proprietary costs related to disclosure that could be a motivation for withholding information. Nondisclosed information could be unreleased bad news, or it could be good news that is not sufficiently positive to offset proprietary costs. Proprietary costs could also be the motivation for withholding nonproprietary information, as long as it interrelates with other proprietary information (Dye, 1985). Consistent with this, Amir et al. (2018) find evidence of managers withholding information about severe cyber-attacks to avoid triggering a decrease in equity value on the market.

Boards that are more effective are committed to risk management and disclosure of risk-related information in their response to shareholders’ demands (Ben-Amar & McIlkenny, 2015). Empirical evidence indicates that board effectiveness is related to the decision to produce disclosures but not to the amount of the disclosure (Ben-Amar & McIlkenny, 2015; Rankin et al., 2011).

In conclusion, based on stakeholder and signalling theories and prior literature, we predict an association between board effectiveness and the decision to disclose cybersecurity-related information. Our first hypothesis is as follows.

H1: Board effectiveness is associated with the decision to disclose cybersecurity information.

This prediction holds in a context similar to that of Canadian risk management reporting disclosure. We follow with a more detailed analysis of some dimensions of board effectiveness, namely board independence, board size and board expertise, and their influence on the amount of cybersecurity disclosure.

3.2 Board independence

The literature has extensively explored the effect of independent directors on firms’ outcomes and disclosure. Independent (outside) and inside directors have different functions. Independent directors monitor top management and shape strategic directions, while inside directors provide internal information to independent directors (Coles et al., 2008; Jensen, 1993; Lipton & Lorsch, 1992). Stakeholder theory suggests that the presence of independent directors should increase disclosure, as independent directors better represent the firm’s external environment and diverse stakeholders’ demands (Hung, 1998). Boards with a higher proportion of independent directors more effectively exercise the board’s fiduciary role of monitoring top managers and ensure they act on behalf of shareholders and other stakeholders (Rosenstein & Wyatt, 1990). This improves the quality of organizational reporting.

Empirical research on the impact of board independence on disclosure shows mixed results. Some research supports a positive association between board independence and disclosure (Khan et al., 2013; Liao et al., 2015), and more particularly risk disclosure (Abraham & Cox, 2007; Elshandidy et al., 2013; Oliveira et al., 2011). Allini et al. (2016) find no significant relationship between risk disclosure and the presence of independent directors, while Eng & Mak (2003), drawing on a sample from Singapore, show a negative impact of independent directors on disclosure. They interpret this effect as being related to the specific character of the Singapore Stock Exchange, which allows blockholders to elect independent directors to represent them, possibly resulting in blockholders receiving information directly as a substitute for disclosure.

As evidence is lacking on the impact of board characteristics on risk disclosure (Allini et al., 2016; Bravo, 2018; Li et al., 2018; Ntim & Soobaroyen, 2013), we explore this relationship, but with cybersecurity risk-related disclosure. Based on the predictions of stakeholder theory and prior research, we assume that board independence has a positive effect on cybersecurity disclosure. Accordingly, we propose this second hypothesis.

H2: Board independence is positively associated with cybersecurity-related disclosure.

3.3 Board size

Prior studies on corporate governance consider board size to be a fundamental characteristic affecting board effectiveness (Donnelly & Mulcahy, 2008; Luo, 2005). A larger board is more efficient in monitoring and advising management (De Andres & Vallelado, 2008). It brings together a diversity of expertise and experience leading to increased disclosure and transparency (Gandía, 2008; Hidalgo et al., 2011; Samaha et al., 2015). However, it also produces more discussion and arguments, with potential erosion of board cohesiveness and effectiveness (Coles et al., 2008; Lipton & Lorsch, 1992).

Empirical research finds mixed results on the association between board size and disclosure. Some research suggests a positive relation (Abeysekera, 2010; Allegrini & Greco, 2013; Husted & de Sousa-Filho, 2019; Samaha et al., 2015), although Prado-Lorenzo & Garcia-Sanchez (2010) and Giannarakis (2014) find no relation between board size and disclosure. Recent studies on risk disclosure in particular provide evidence of a positive association between board size and risk disclosure (Allegrini & Greco, 2013; Elshandidy et al., 2013; Elshandidy & Neri, 2015; Ntim & Soobaroyen, 2013).

In conclusion, larger boards, with their diversified experience and expertise, increase firm transparency and are more likely to disclose cybersecurity risk-related information. We therefore state the following hypothesis:

H3: Board size is positively associated with cybersecurity disclosure.

3.4 Board financial expertise

The Canadian Securities Administrators (CSA) prescribes disclosure obligations regarding cybersecurity risks. However, the accounting profession in Canada has stated that “significant judgement must be exercised in determining whether cybersecurity risks and incidents are material and require disclosure” (Canada, 2017, p. 2). The CSA has examined corporate disclosure regarding the person, group or committee responsible for cybersecurity strategy and found that the audit committee is most often responsible for overseeing cybersecurity risks (CSA, 2017a). Canadian regulation requires that every audit committee member be financially literate (Ontario Securities Commission, 2015). As financial expertise seems important for overseeing risks (including cybersecurity risks) and making disclosure decisions in that regard, we investigate the impact of board financial expertise on cybersecurity disclosure.

Prior studies show that directors with financial and accounting expertise monitor management more effectively (Erickson, Park, Reising, & Shin, 2005). Directors’ financial and accounting expertise improves risk assessment and management (Elzahar & Hussainey, 2012). Boards with directors who have accounting and financial expertise are more effective in reducing information asymmetry by disclosing this information to shareholders and stakeholders (Elzahar & Hussainey, 2012). Minton et al. (2014) suggest that directors with financial expertise can prevent the risk of a crisis. Cyber risk can threaten business continuity and must be continually overseen by the board (Moore et al., 2015). Besides, other specific expertise may be needed for identifying, monitoring and overseeing cybersecurity risks, such as technical (IT), legal or ethical expertise. Although this expertise is a must for effective cybersecurity management, the study of the role and impact of this expertise on disclosure goes beyond the scope of this research.

The most recent Spencer Stuart Board Governance Trends report on the boards of the 100 largest Canadian companies noted a sharp increase in nonexecutive directors with financial backgrounds, including experience and/or credentials (SpencerStuart, 2021). The percentage of nonexecutive directors with financial expertise increased from 36% in 2016 to 46% in 2020, whereas technology expertise on boards barely moved, from 6% in 2016 to 7% in 2020. As cybersecurity strategy implies more than technical expertise, boards seem to prefer financial expertise or a multidisciplinary board, which improves their risk assessment and oversight capabilities regarding strategic, technical and ethical aspects.

Based on these arguments, we expect that the presence of directors with financial and accounting expertise is positively associated with cybersecurity disclosure. Hence, we formulate our hypothesis:

H4: Board financial expertise is positively associated with cybersecurity disclosure.

4 Methodology

4.1 Sample and data collection

Our sample consists of the 60 largest companies listed on the Toronto Stock Exchange, forming the S&P/TSX 60 Index and representing vanguard companies in leading industries. Our longitudinal study ranges from 2014 to 2018 and resulted in a final sample of 300 firm-year observations. We focus on the largest Canadian companies required to disclose risk-related information in their annual report. Given that Canadian Auditing Standards (CAS) introduced cybersecurity disclosure guides and regulation in 2013, this guidance would be reflected in corporate disclosures starting in 2014. The year 2018 was the last available year for data collection.

The sample’s distribution by industry is presented in Table 1. The most prominent sectors are energy, constituting 18.33% of the sample, followed by financial services, at 16.67%, and materials, at 13.33%. The information technology and communication services sectors respectively account for 8.33% and 6.67% of the sample, while the least represented sector is healthcare, at 3.33%. The proportion of cross-listed companies in the sample is 73.33%, while 26.67% of the companies are listed exclusively on the Toronto Stock Exchange. Although the study is Canadian-based, our results could be generalizable to large companies in jurisdictions where cybersecurity risk disclosure and reporting are regulated and guided similarly to Canada, since most of the sample companies are cross-listed.

Table 1 Sample Distribution by Sector

Consistent with Radu & Smaili (2021), we followed several steps to collect data on cybersecurity disclosure. The data were manually collected, beginning with the firms’ annual reports, accessed through the System for Electronic Document Analysis and Retrieval (Sedar). Using the keywords cyber, cybersecurity, security, cyber attack, attack, information security, information technology and IT, we selected the cybersecurity disclosure contained in the annual report. One of the researchers confirmed the automatically selected disclosure. Using our quantitative methodology, we measured the presence and volume of disclosure.

Data on board effectiveness were collected from the University of Toronto Board Shareholder Confidence Index (BSCI), a database used in prior governance research (Ben-Amar & McIlkenny, 2015; Conheady et al., 2015). Other governance data were collected from complementary information in management or proxy circulars in Sedar, and financial data were collected from Compustat.

4.2 Research design

To test our hypotheses, we use two sets of regression models. The following binary LOGIT model, with cybersecurity disclosure decision as a dependent variable, is used to test H1.

$$\begin{array}{l}\mathit{Cyber\_Discl\_Decision}_{i,t} = \beta_0 + \beta_1\,\mathit{Effectiveness}_{i,t} + \beta_2\,\mathit{Firm\_Size}_{i,t} + \\ \beta_3\,\mathit{Profitability}_{i,t} + \beta_4\,\mathit{Leverage}_{i,t} + \beta_5\,\mathit{MTB}_{i,t} + \beta_6\,\mathit{Industry}_{i,t} + \varepsilon_{i,t}\end{array}$$
(1)

Where, for year t and firm i: Cyber_Discl_Decision is a binary variable coded 1 if the firm discloses cyber-related information and 0 otherwise; Effectiveness is board effectiveness as measured by the BSCI; control variables are Firm_Size as measured by the natural logarithm of total assets; Profitability is measured by ROA (return on assets); Leverage, by total liability divided by book value of equity; MTB is the market-to-book ratio; and Industry is a binary variable to control for the effect of industry membership, taking the value 1 for cyber-sensitive industries (commercial banks, insurance, IT, communications and electronic shopping) and 0 otherwise.

Our model for testing hypotheses H2, H3 and H4 is as follows.

$$\begin{array}{l}\mathit{Cyber\_Discl\_Vol}_{i,t} = \beta_0 + \beta_1\,\mathit{Independence}_{i,t} + \beta_2\,\mathit{Board\_Size}_{i,t} + \\ \beta_3\,\mathit{Expertise}_{i,t} + \beta_4\,\mathit{Firm\_Size}_{i,t} + \beta_5\,\mathit{Profitability}_{i,t} + \beta_6\,\mathit{Leverage}_{i,t} + \\ \beta_7\,\mathit{MTB}_{i,t} + \beta_8\,\mathit{Industry}_{i,t} + \varepsilon_{i,t}\end{array}$$
(2)

Where, for year t and firm i, the dependent variable, Cyber_Discl_Vol, is the volume of cybersecurity disclosure, the independent variables are Independence (proportion of independent directors on the board), Board_Size (number of directors on the board) and Expertise (proportion of directors with financial expertise on the board). Consistent with previous literature, we control for Firm_Size, measured by the natural logarithm of total assets, Profitability, measured by ROA, Leverage, measured by total liability divided by book value of equity, MTB and Industry, a binary variable to control for the effect of industry membership, taking the value 1 for cyber-sensitive industries (commercial banks, insurance, IT, communication and electronic shopping) and 0 otherwise.

Our sample includes panel data collected from 300 firm-year observations for the 2014–2018 period. A pooled OLS model could induce bias in estimators (De Andres & Vallelado, 2008). As Industry is a time-invariant variable, we used the Hausman test to determine the most appropriate model for our test (fixed or random effects). The results of the Hausman test (χ2 = 22.56, p = 0.002) indicated that fixed effects was the best approach.

4.3 Variables

4.3.1 Dependent variables

Two measures are used for cybersecurity disclosure. Consistent with prior research (Ben-Amar & McIlkenny, 2015), a binary variable measuring the firm’s decision to disclose information on cybersecurity is used in Eq. (1) and is labelled Cyber_Discl_Decision. It takes the value 1 if the firm discloses cybersecurity information and 0 otherwise. Our second dependent variable is the volume of cybersecurity disclosure, Cyber_Discl_Vol, used with Eq. (2). Similar to Campbell (2004), we measure disclosure volume as the number of words the firm uses to disclose cybersecurity information in its annual report.
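The following script is an added illustration, not code from the paper or its authors, of how the keyword-based selection step of Sect. 4.1 and the two dependent variables defined above can be computed for one firm-year. It assumes a simple sentence-level keyword match (the paper does not state its matching rules) and uses a constructed annual-report excerpt rather than a real filing; the Industry dummy follows the cyber-sensitive sector list given with Eq. (1).

```python
import re

# Keywords listed in Sect. 4.1 for selecting cybersecurity disclosure.
# "cyber" is matched as a prefix so it also covers "cybersecurity",
# "cyber-attack" and "cyberattack"; "IT" is matched case-sensitively so that
# the pronoun "It" is not counted as the information-technology acronym.
# (Matching at sentence level is an assumption, not the paper's stated rule.)
KEYWORD_RE = re.compile(
    r"\bcyber|\bsecurity\b|\battacks?\b|\binformation security\b|\binformation technology\b",
    re.IGNORECASE,
)
IT_ACRONYM_RE = re.compile(r"\bIT\b")

# Cyber-sensitive sectors that set the Industry control to 1 (Sect. 4.2).
CYBER_SENSITIVE_SECTORS = {
    "commercial banks", "insurance", "it", "communications", "electronic shopping",
}


def split_sentences(text):
    """Split report text into sentences on ., ! or ? followed by whitespace."""
    return [s.strip() for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s.strip()]


def is_cyber_sentence(sentence):
    """True if the sentence contains at least one of the Sect. 4.1 keywords."""
    return bool(KEYWORD_RE.search(sentence) or IT_ACRONYM_RE.search(sentence))


def select_disclosure(text):
    """Return the sentences that make up the firm's cybersecurity disclosure."""
    return [s for s in split_sentences(text) if is_cyber_sentence(s)]


def disclosure_measures(text):
    """Return (Cyber_Discl_Decision, Cyber_Discl_Vol) for one firm-year.

    Decision is 1 when at least one cyber-related sentence is found, else 0;
    volume is the number of words across the selected sentences.
    """
    selected = select_disclosure(text)
    volume = sum(len(s.split()) for s in selected)
    return (1 if selected else 0), volume


def industry_dummy(sector):
    """Industry control: 1 for a cyber-sensitive sector, 0 otherwise."""
    return 1 if sector.strip().lower() in CYBER_SENSITIVE_SECTORS else 0


# Constructed excerpt standing in for an annual report (not a real filing).
SAMPLE_REPORT = (
    "Revenue increased by 4% compared with the prior year. "
    "It was a strong year for our retail segment. "
    "We rely on information technology systems to operate our business. "
    "A cyber attack or security breach could disrupt operations and expose confidential data. "
    "Our IT function monitors these threats and reports to the audit committee quarterly. "
    "The dividend was maintained at the prior-year level."
)

if __name__ == "__main__":
    for s in select_disclosure(SAMPLE_REPORT):
        print("selected:", s)
    decision, volume = disclosure_measures(SAMPLE_REPORT)
    print(f"Cyber_Discl_Decision={decision} Cyber_Discl_Vol={volume}")
    print("Industry (Insurance) =", industry_dummy("Insurance"))
```

On the constructed excerpt three sentences are selected, giving Cyber_Discl_Decision = 1 and Cyber_Discl_Vol = 36 words; the sentence beginning with "It" is correctly left out because the acronym match is case-sensitive. In practice the automatically selected passages would still be reviewed by a researcher, as Sect. 4.1 describes, since keyword matching alone picks up unrelated uses of "security" or "attack".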

4.3.2 Independent variables

Board effectiveness is a multidimensional concept. Some researchers measure board effectiveness using individual dimensions such as board independence, board size, board activity, audit committee independence, director ownership, board expertise or CEO duality (Elzahar & Hussainey, 2012; Lipton & Lorsch, 1992; Lorca et al., 2011). Others use a composite measure (Ben-Amar & McIlkenny, 2015; Switzer & Cao, 2011), as we do for this study. Board effectiveness (Effectiveness) is measured using the Board Shareholder Confidence Index. The index evaluates board effectiveness based on determinants of the board’s ability to fulfill its duties from a shareholder perspective (Fullbrook & Spizzirri, 2018), in line with the theoretical background of our hypothesis. Used by prior research (Ben‐Amar & McIlkenny, 2015; Conheady et al., 2015), the index evaluates governance variable groups in three categories: directors’ individual potential, the board’s group potential, and board decision outputs. The maximum score for an effective board is 150, and points are deducted for each effectiveness criterion that is not met.

The first category, directors’ individual potential, assesses the effectiveness of individual directors and consists of several criteria: independence from management, as directors must represent the interests of stakeholders rather than managers; director interlocks and executive interlocks, given perceived risks that board members may make decisions in other companies’ interests if directors sit together on other boards or have interlocks with executives at other companies; excessive board membership, as a director must dedicate time to perform effectively; director attendance, since directors must have sufficient time to dedicate to the board; and director share ownership, which motivates directors to make decisions in the interest of shareholders.

The second category, the board’s group potential, which assesses the board’s collective effectiveness, consists of the CEO/chair split, since the board must act independently from management; board committee independence (audit, compensation and nominating committee), to ensure no conflict of interest mars the oversight role of the activities of executive compensation, financial audit and board nomination; share structure, which should provide balanced voting rights to allow the board to represent the interests of all shareholders; a management-free meeting policy, which is important while the board hires the CEO or evaluates CEO performance; director assessments, as the board skill matrix is useful for assessing the board’s collective skillset; continuing education and orientation, an important activity for developing individual skills; board retirement policies, to have a board renewed regularly; and a board gender diversity policy, to encourage better representation of women on boards.

The board decision output is the third category, including decisions with a dilution effect, i.e., pay-for-performance policies, pay risk management policies, change of control provisions, CEO share ownership, director election and executive succession planning.

Board independence (Independence) represents the ratio of non-executive board members divided by the total number of board members (Lu & Wang, 2018). Board size (Board_Size) is the total number of directors on the board (Hussain et al., 2018). Board financial expertise (Expertise) is the number of board members with finance and accounting skills and expertise, divided by the total number of board members (Minton et al., 2014).

4.3.3 Control variables

We control for variables used in prior research as determinants of disclosure: firm size (Hussain et al., 2018), profitability (Liao et al., 2015), leverage (Michelon & Parbonetti, 2012), MTB (Ben-Amar et al., 2021) and industry membership (Elzahar & Hussainey, 2012). Firm size (Firm_Size) is the natural logarithm of the firm’s total assets. As firm size indicates the number of firm stakeholders, bigger firms should respond to increased stakeholder pressure to disclose relevant information. It follows that the volume of risk disclosure is positively associated with firm size (Zadeh & Eskandari, 2012), and a positive coefficient is predicted for firm size. Profitability (Profitability) is calculated as the ratio of operating income to total assets (ROA), and a positive coefficient is expected. The variable Leverage is the ratio of total debt divided by total assets. Higher leverage levels imply higher agency costs, and disclosure could reduce agency costs and information asymmetry (Lopes & Rodrigues, 2007). Hence, a positive coefficient is expected for leverage. Disclosure is associated with the firm’s use of capital and with the market valuation of shareholders’ wealth (Brammer et al., 2006). We expect a positive coefficient for MTB. Industry membership (Industry) is related to political costs (Watts & Zimmerman, 1990), but no prediction for the coefficient sign could be made.

Definitions of variables are summarized in Table 2.

Table 2 Summary of Variables Used in the Model

5 Results

5.1 Descriptive statistics and correlations

Descriptive statistics are presented in Table 3. On average, 71.7% of our sample disclosed cybersecurity information. The percentage of disclosing firms increased steadily, from 56.7% in 2014, the first year of our analysis, to 85.0% in 2018, the last year of the study. This significant increase (p < 0.01) suggests increased awareness of cybersecurity over time.

Table 3 Descriptive Statistics

On average, the volume of cybersecurity disclosure is 310.18 words. We note high dispersion of this volume in the sample, with a standard deviation of 325.29. The volume varies from 0 to 1759 words. On average, it also increases over time, from 161.2 words in 2014 to 461.6 in 2018, a significant increase of 186.4% (p < 0.0005).

Board effectiveness averages 124.5 out of 150, with no statistically significant differences over time. The average board effectiveness score is 83%, representing an equivalent score of 3 out of 6 based on the conversion used by Ben-Amar & McIlkenny (2015). It is comparable to the average board effectiveness of 2.52 for their Canadian sample for the 2008–2011 period.

The average percentage of independent board members is 76.3%, and there are no statistically significant differences over time. Average board size is 11 directors, and there is also no significant variation over time. On average, 47.6% of the directors have financial expertise, with no significant variation over the research period. The sample consists of the 60 largest Canadian firms in 2018, with a mean firm size (natural logarithm of total assets) of 10.49.

Table 4 presents Pearson’s bivariate correlation coefficients for the variables in our regression model (2). We note a significant positive correlation between volume of cybersecurity disclosure and board size, as predicted by our third hypothesis. We continue with the multivariate analysis in the next section.

Table 4 Correlation Matrix

5.2 Multivariate analysis

Table 5 summarizes our test results for our first hypothesis. A LOGIT regression of cybersecurity disclosure decision on board effectiveness was carried out in Eq. (1). We first regress Cyber_Discl_Decision on control variables in model (1), as in the first column of Table 5, and in model (2), using board effectiveness as a predictive variable. Table 5 shows overall model significance (p < 0.0005) and a Pseudo R2 of 14.9%.

Table 5 Regression of Cybersecurity Disclosure Decision on Board Effectiveness

Results in column (2) of Table 5 confirm our first hypothesis regarding an association between the decision to disclose cybersecurity information and board effectiveness. The coefficient on board effectiveness is positive (0.02) and strongly significant (p-value of 0.005), suggesting that more effective boards are more transparent and disclose cybersecurity-related information.

Concerning control variables, Table 5 shows a positive and significant coefficient on leverage. Disclosure of cybersecurity information can reduce agency costs and information asymmetry, so higher leverage is associated with more transparency. A negative and significant coefficient for the market-to-book ratio is also reported in Table 5. A positive and significant coefficient on industry membership is consistent with prior literature on the influence of industry membership on the decision to disclose relevant information.

We continue with testing hypotheses H2 to H4. As we use longitudinal data, a Hausman test to decide between the fixed effects and random effects models was performed. Results of the Hausman test (χ2(7) = 20.64, Prob > χ2 = 0.0054) show that a fixed effects model is more appropriate for our sample. Therefore, a regression with a fixed effects model for panel data was used, based on Eq. (2). The fixed effects model controls for firm, year and industry. Results of the regression of cybersecurity disclosure volume on control variables are reported in column (1) of Table 6. Regression results including the independent one-dimensional measures of board effectiveness, i.e., board independence, board size and board financial expertise, are presented in column (2) of Table 6. Overall, the model is statistically significant (F = 6.67, p < 0.0005), and the predictors explain 16.7% of the variation in the volume of cybersecurity disclosure.

Table 6 Regression of Cybersecurity Disclosure Volume on Governance Variables

Regarding board independence, a positive and significant (p < 0.1) coefficient is reported in column (2) of Table 6. This finding suggests that boards with a higher proportion of independent directors disclose more cybersecurity information. As the coefficient for Board_Size is not statistically significant, our hypothesis H3 regarding a positive association between board size and cybersecurity disclosure could not be confirmed. Board size seems to have no impact on the volume of disclosure.

A positive and significant coefficient on Expertise (304.3, p < 0.1) provides support for our hypothesis H4, whereby board members’ financial expertise has a positive impact on the volume of cybersecurity disclosure. Boards with more financial expertise are more transparent and increase the volume of cybersecurity-related information disclosed.

Consistent with prior research, we found that firm size has a positive and significant impact on cybersecurity disclosure. Bigger firms with more stakeholders face increased pressure to disclose relevant information.

As we expected, firm profitability has a positive impact on cybersecurity disclosure. Prosperous firms can afford higher costs related to disclosing relevant information to stakeholders. Similar to results reported in Table 5, the market-to-book ratio is negatively associated with disclosure.

6 Discussion and conclusion

Cybersecurity has become a critical issue for businesses, and more effort should be devoted to this concern. This research aimed to determine the influence of board effectiveness on disclosure of cybersecurity information. According to stakeholder theory, the board balances stakeholders’ demands and plays an important role in risk management. More effective boards better identify, discuss and manage risk. We consider that more effective boards are more likely to be transparent by providing disclosure on risk management, and particularly on cybersecurity. More specifically, we predicted that cybersecurity disclosure volume would be strongly and significantly influenced by one-dimensional measures of board effectiveness in the form of board independence, board size and board financial expertise.

Based on a sample of 300 firm-year observations for the 2014–2018 period and using regression models, we empirically tested our hypotheses. The first hypothesis, predicting an association between board effectiveness and the decision to disclose information about cybersecurity, was confirmed. A more effective board is more transparent about cybersecurity. As Canadian regulation on cybersecurity emerged in 2013 to provide guidance regarding cyber risk management and disclosure, we note a continuous increase of cybersecurity disclosure over time. Firms grew increasingly aware of cyber risks and cybersecurity, and these issues became major disclosure topics in 2018, with an average of 461.58 words devoted to cybersecurity, compared to 161.20 in 2014.

We expected board independence, board size and board financial expertise to have a positive impact on cybersecurity disclosure volume. Our hypothesis on the positive association between board independence, board financial expertise and disclosure is confirmed, but board size has no impact on the amount of cybersecurity information disclosed.

Independent members of the board, who act as a governance and oversight mechanism, significantly increase the disclosure of cybersecurity risks in the company’s financial statements. In addition, the board has a fiduciary role to monitor management. Financial expertise on the board contributes to risk assessment and management, but multifaceted expertise in technical, ethical and financial areas is required to monitor the emerging concern of cybersecurity. Board members should be continually trained to be aware of the evolution and diversification of business risks and to have appropriate skills and competencies to manage them. Our findings shed light on the positive impact of board members’ financial expertise on the volume of cybersecurity disclosure. We reasonably expected that the larger the board, the more likely it is to include cybersecurity-specific expertise, but we find no such relationship between board size and cybersecurity disclosure. The lack of impact of board size on this disclosure may be due to the lack of cybersecurity-specific expertise among most directors.

Overall, board effectiveness as a composite measure, and some of its one-dimensional measures, board independence and financial expertise, have a positive effect on cybersecurity disclosure. These findings have practical implications for investors, management, board members and regulators. Given the positive impact of director independence and financial expertise on the disclosure of cybersecurity information, investors should ask for more independent boards with diversified expertise, including financial expertise. This should enhance the transparency and volume of disclosure about the firm’s cyber risk. As cybersecurity is an emerging topic that demands multifaceted expertise, managers and the board should have an appropriate training plan while seeking to attract skilled directors. Our results can also be useful for regulators, as disclosure requirements, guides and regulations encourage disclosure of cybersecurity information. More standards and regulations could help firms improve their cyber risk assessment, management and disclosure.

This research is not without limitations. As our sample consists of large Canadian firms, results may be relevant only for this type of entity and in jurisdictions where cybersecurity risk disclosure and reporting are regulated and guided, such as Canada and the U.S. Further research could investigate the impact of board effectiveness on small and medium enterprises. Recent years have witnessed major changes in the use of business technologies and increases in remote work and online sales, making cybersecurity crucial for companies. Our study covers a period ending in 2018. It would be interesting to analyze recent developments and changes in the impact of board effectiveness on cybersecurity disclosure over the last three years. We examined some one-dimensional measures of board effectiveness, i.e., board independence, size and financial expertise. Other measures could provide extensive information about the influence of board effectiveness on cybersecurity and cybersecurity disclosure and could be the subject of future research. We tested the influence of financial expertise on cybersecurity disclosure; however, cyber-risk assessment and management demand the contribution of multiple disciplines. Other important board skills and expertise, such as technical (IT), legal or ethical expertise, could have an impact on cybersecurity and are worth investigating. In addition, board committees other than the audit committee or the audit and risk committee may deal with cybersecurity risk disclosure. It would be interesting to further investigate what specific expertise is associated with this form of disclosure besides financial or accounting expertise. We focused on the annual report for cybersecurity disclosure. Firms can use other reports to disclose cybersecurity information and associated risks. A review of disclosures contained in various reports would provide additional insight into these different disclosure sources.